Massachusetts Notice of Psychologists’ Policies and Practices to Protect Your Health Information Privacy
THIS NOTICE DESCRIBES HOW PSYCHOLOGICAL AND MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I.Uses and Disclosures for Treatment, Payment, and Health Care Operations: I may use or disclose your protected health information (PHI), for treatment, payment, and health care operations purposes with your consent. To help clarify these terms, here are some definitions:
- “PHI” refers to information in your health record that could identify you.
- “Treatment, Payment and Health Care Operations” Treatment is when I provide, coordinate or manage your health care and other services related to your health care. An example of treatment is when I consult with another health care provider, such as your family physician or another psychologist.
- Payment is when I obtain reimbursement for your healthcare. Examples are when I disclose your PHI to your health insurer to obtain reimbursement for your health care or determine eligibility or coverage.
- Health Care Operations are activities that relate to the performance and operation of my practice. Examples of health care operations are quality assessment and improvement activities, business-related matters, such as audits and administrative services, and case management and care coordination.
- “Use” applies only to activities within my [office, clinic, practice group, etc.], such as sharing, employing, applying, utilizing, examining, and analyzing information that identifies you. \
- “Disclosure” applies to activities outside of my [office, clinic, practice group, etc.], such as releasing, transferring, or providing access to information about you to other parties.
II. Uses and Disclosures Requiring Authorization: I may use or disclose PHI for purposes outside of treatment, payment, and health care operations when your appropriate authorization is obtained. An “authorization” is written permission above and beyond the general consent that permits only specific disclosures. In those instances when I am asked for information for purposes outside of treatment, payment and health care operations, or in a way that is not described in this notice and for psychotherapy notes. I will obtain an authorization from you before releasing this information. I will also need to obtain an authorization before releasing your psychotherapy notes. “Psychotherapy notes” are notes I have made about our conversation during a private, group, joint, or family counseling session, which I have kept separate from the rest of your medical record. These notes are given a greater degree of protection than PHI.
You may revoke all such authorizations (of PHI or psychotherapy notes) at any time, provided each revocation is in writing. You may not revoke an authorization to the extent that (1) I have relied on that authorization; or (2) if the authorization was obtained as a condition of obtaining insurance coverage, and the law provides the insurer the right to contest the claim under the policy.
Breach Notification: “Breach” includes the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of such information in violation of the HIPAA Privacy Rule. “Unsecured PHI” includes protected health information (PHI) that is not secured through the use of a technology or methodology, such as encryption, specified by the Secretary of the U.S. Department of Health and Human Services.
When the Practice becomes aware of or suspects a breach, the Practice will conduct a risk assessment. The Practice will keep a written record of that risk assessment. The risk assessment can be done by a business associate if she/he was involved in the breach. Unless the Practice determines that there is a low probability that PHI has been compromised, the Practice will give notice of the breach to the patient. A brief description of the breach, including dates and the types of unsecured PHI involved, the steps the patient should take to protect against potential harm, and a brief description of steps Dr. Ray has taken to investigate the incident, mitigate harm and protect against future breaches. All information will be supplied by first class mail to the patient at his or her last known address.
Notice to the Department of Health and Human Services: A log of any breach is kept during the year and is provided to HHS within 60 days after that year ends. After any breach, particularly one that requires notice, the Practice will re-assess its privacy and security practices to determine what changes should be made to prevent the re-occurrence of such breaches.
III. Uses and Disclosures with neither consent nor authorization. I may use or disclose PHI without your consent or authorization in the following circumstances:
- Child Abuse: If I, in my professional capacity, have reasonable cause to believe that a minor child is suffering physical or emotional injury resulting from abuse inflicted upon him or her which causes harm or substantial risk of harm to the child's health or welfare (including sexual abuse), or from neglect, including malnutrition, I must immediately report such condition to the Massachusetts Department of Social Services.
- Adult Abuse: If I have reasonable cause to believe that an elderly person (age 60 or older) is suffering from or has died as a result of abuse (including financial exploitation), I must immediately make a report to the Massachusetts Department of Elder Affairs. I must make a report to the Disabled Persons Protection Commission and/or other appropriate agencies, if I have reasonable cause to believe that a mentally or physically disabled person is suffering from or has died as a result of a reportable condition, which includes non-consensual sexual activity (see below). I need not report abuse if you are a disabled person and you invoke the psychotherapist-patient privilege to maintain confidential communications.
- Health Oversight: The Board of Registration of Psychologists has the power, when necessary, to subpoena relevant records should I be the focus of an inquiry.
- Judicial or Administrative Proceedings: If you are involved in a court proceeding and a request is made for information about your diagnosis and treatment and the records thereof, such information is privileged under state law and I will not release information without written authorization from you or your legally-appointed representative, or a court order. The privilege does not apply when you are being evaluated for a third party or where the evaluation is court-ordered. You will be informed in advance if this is the case.
- Serious Threat to Health or Safety: If you communicate to me an explicit threat to kill or inflict serious bodily injury upon an identified person and you have the apparent intent and ability to carry out the threat, I must take reasonable precautions. Reasonable precautions may include warning the potential victim, notifying law enforcement, or arranging for your hospitalization. I must also do so if I know you have a history of physical violence and I believe there is a clear and present danger that you will attempt to kill or inflict bodily injury upon an identified person. Furthermore, if you present a clear and present danger to yourself and refuse to accept further appropriate treatment, and I have a reasonable basis to believe that you can be committed to a hospital, I must seek said commitment and may contact members of your family or other individuals if it would assist in protecting you.
- Worker’s Compensation: If you file a workers’ compensation claim, your records relevant to that claim will not be confidential to entities such as your employer, the insurer and the Division of Worker’s Compensation.
- When the use and disclosure without your consent or authorization is allowed under the Privacy Rule and the state’s confidentiality law. This includes certain narrowly-defined disclosures to law enforcement agencies, to a health oversight agency (such as HHS or a state department of health), to a coroner or medical examiner, for public health purposes relating to disease or FDA-regulated products, or for specialized government functions such as fitness for military duties, eligibility for VA benefits, and national security and intelligence.
There may be additional disclosures of PHI that I am required or permitted by law to make without your consent or authorization, however the disclosures listed above are the most common.
IV. Patient's Rights and Psychologist's Duties. Patient’s Rights:
- Right to Request Restrictions – You have the right to request restrictions on certain uses and disclosures of protected health information about you. However, I am not required to agree to a restriction you request.
- Right to Receive Confidential Communications by Alternative Means and at Alternative Locations – You have the right to request and receive confidential communications of PHI by alternative means and at alternative locations. (For example, you may not want a family member to know that you are seeing me. Upon your request, I will send your bills to another address.)
- Right to Inspect and Copy – You have the right to inspect or obtain a copy (or both) of PHI and psychotherapy notes in my mental health and billing records used to make decisions about you for as long as the PHI is maintained in the record. I may deny your access to PHI under certain circumstances, but in some cases, you may have this decision reviewed. On your request, I will discuss with you the details of the request and denial process.
- Right to Amend – You have the right to request an amendment of PHI for as long as the PHI is maintained in the record. I may deny your request. On your request, I will discuss with you the details of the amendment process.
- Right to an Accounting – You generally have the right to receive an accounting of disclosures of PHI for which you have neither provided consent nor authorization (as described in Section III of this Notice). On your request, I will discuss with you the details of the accounting process.
- Right to a Paper Copy – You have the right to obtain a paper copy of the notice from me upon request, even if you have agreed to receive the notice electronically.
- Right to Restrict Disclosures When you have Paid for Your Care Out-of-Pocket – You have the right to restrict certain disclosures of PHI to a health plan when you pay out-of-pocket in full for my services.
- Right to be Notified if There is a Breach of Your Unsecured PHI- You have a right to be notified if: (a) there is a breach (a use or disclosure of you PHI in violation of the HIPAA Privacy Rule) involving your PHI; (b) PHI has not been encrypted to government standards, and (c) my risk management fails to determine that there is low probability your PHI has been compromised.
- Right to Opt out of Fundraising Communications- You have the right to decide that you would not like to be included in fundraising communications that I may send out.
- I am required by law to maintain the privacy of PHI and to provide you with a notice of my legal duties and privacy practices with respect to PHI.
- I reserve the right to change the privacy policies and practices described in this notice. Unless I notify you of such changes, however, I am required to abide by the terms currently in effect.
- If I revise my policies and procedures, I will notice my patients in person or by mail.
V. Questions and Complaints: If you have questions about this notice, disagree with a decision I make about access to your records, or have other concerns about your privacy rights, you may contact me. If you believe that your privacy rights have been violated and wish to file a complaint with me office, you may send your written complaint or email me at email@example.com. You may also send a written complaint to the Secretary of the U.S. Department of Health and Human Services. The person listed above can provide you with the appropriate address upon request. You have specific rights under the Privacy Rule. I will not retaliate against you for exercising your right to file a complaint.